Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry

[Andra Zaharia]

As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.

As expected, this strain does not include a killswitch domain, like WannaCry did.

We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied. Uiwix also has self-replicating capabilities, as WannaCry did.

 

[Maxxx58]

LOL, ransomware era is coming

 

[Winter Soldier]

The ransomware's business is huge: it probably may have reached a billion dollars. The "probably" is caused by the fact that not all the affected users denounce what has happened and often they pay out without informing the authorities.

 

[Winter Soldier]

Спасибо за информацию

Please post in English.

 

[Atlas147]

hopefully using the same vulnerabilities as wannacry means that it's already been patched by MS

 

[Davidov]

hopefully using the same vulnerabilities as wannacry means that it's already been patched by MS

Payments have already been distributed but are down to users when I install them.

 

[Solarquest]

As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.

As expected, this strain does not include a killswitch domain, like WannaCry did.

We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied. Uiwix also has self-replicating capabilities, as WannaCry did.

Thank you for the update!
What is VT detection of Uiwix?
Do you have the SHA?
Thank you

 

[konkisko]

Funny that they use the same vulnerability, as it can me somehow a competition between ransomware to infect more computers.

 

[Andra Zaharia]

We'll update the article shortly to include more technical details. Thank for your patience!

 

[curtcobian]

thanks, any info as below??

poc
CnC addr/domain(any diff from Wcry)
additional function

cheers

 

[Solarquest]

Uiwix Ransomware Using EternalBlue SMB Exploit To Infect Victims

Antivirus scan for 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc at 2017-05-18 13:04:07 UTC - VirusTotal

 

[tryfon]

If this gets released and I ran it in a windows VM, would the rest of my computer possibly be encrypted (pretty sure it wouldn't but asking just to make sure)

 

[Peter2150]

Hi Andra

Just a heads up. That Microsoft scanner mentioned in one of your alerts, is not reliable. I scanned my win 7 system as over the years I have hidden many updates. The scanner found all of them and reported them. I wasn't surprised. So I went into windows updates, and used the restore hidden udpates. That found none. Since I've done several off the rollup updates, my system reports it is up to date. It would appear that the rollup updates cleans stuff out. Makes that Microsoft tool of dubious value.

Pete

 

[jamescv7]

The possible killswitch is not on ransomware but through the Worm itself as it will spread through network.

Very clever to see that ransomware are packed to target security holes rather usual execution, and unfortunately many systems are not up to date or even migrating to Linux for long term safe environment.

 

[vemn]

Uiwix Ransomware Using EternalBlue SMB Exploit To Infect Victims

Antivirus scan for 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc at 2017-05-18 13:04:07 UTC - VirusTotal

Able to get a sample?